WebSphere® Application Server provides message-level protection for its security token service, known as the WebSphere Application Server trust service. For the trust service, you must use a special class of policy sets known as system policy sets.
Before you begin
You can secure requests to the trust service by using two different configuration methods:
- Use the administrative console to define and attach a system policy set and binding to a trust service operation that is associated with an endpoint.
- Use the wsadmin tool, which supports the Jython and Jacl scripting languages, to configure system policy sets for the trust service. You can manage the policies for the Quality of Service (QoS) by creating policy sets and managing the associated policies.
About this task
For WebSphere Application Server trust service security, you must configure the system policy sets, the bindings, the trust service attachments, and the security cache. Perform the following high-level steps. The order of the tasks is not important, but all of the required high-level steps must be performed to complete the trust configuration.
Procedure
- Define a new system policy set or manage existing system policy sets. To manage system policy sets, you can perform the following tasks:
  - Define the system policy set and binding. The system policy set can be a new or existing policy set. If you create a new system policy set, you must specify and configure the policy types. A default binding configuration is associated with each policy type.
  - Modify the system policy set, as needed.
  Other optional policy set-related tasks that you can perform include:
  - Add, edit, or remove policy set attachments.
  - Edit, enable, disable, or remove policy types.
  - Create a system policy set by selecting and copying an existing system policy set. When copying an existing system policy set, you also specify whether to move the existing attachments to the new system policy set.
  - Delete system policy sets. You cannot delete the pre-configured system policy sets that WebSphere Application Server provides by default.
  - Archive a system policy set by selecting and exporting an existing system policy set. Exporting a system policy set creates a .zip archive file, which is provided for downloading. For example, if you have a policy set named ABC_ps and you want to move it from ServerA to ServerB, first use the export function to create the .zip file, then manually transfer the archive file to ServerB.
- Create and manage explicit attachments. You can perform the following trust service attachment tasks:
  - Attach the system policy set and assign a binding to an endpoint. For an endpoint, you can create explicit attachments for each of the four trust service operations (issue, renew, validate, and cancel) to the respective Trust Service Defaults policy sets and bindings. After you have created these initial attachments, you can view and further modify the existing policy set and binding configurations.
  - Modify existing policy set attachment and binding configurations, as needed. The system policy set can be a new or existing policy set. If you create a new system policy set, you must specify and configure the policy types. A default binding configuration is associated with each policy type.
  The system policy set that is attached to the issue and renew operations must correspond to the bootstrap policy set of the client and endpoint, and the system policy set that is attached to the validate and cancel operations must correspond to the application policy set of the client and endpoint. If they do not match, the client and the trust service apply different message-level protection to the same request and the request fails. The bootstrap policy set for the endpoint service is only required if the endpoint service makes issue and renew requests to the trust service.
  Other optional attachment-related tasks that you can perform include:
  - Change the system policy set and binding configurations.
  - Create custom system policy sets and bindings.
  - Attach each of the four default trust service operations to a system policy set and binding.
  - Attach each of the four trust service operations that are associated with a specific endpoint to a system policy set and binding.
  - Specify that the selected trust service operations for an endpoint inherit the respective default trust service policy set and binding.
  - Assign the Default binding or a custom binding configuration to the selected policy set attachment.
  - Update the trust service runtime configuration.
- Manage the security context token provider that the trust service provides. You can perform the following trust service token provider tasks:
  - Modify the configuration of the Security Context Token provider, as needed.
  Other optional token provider-related tasks that you can perform include:
  - Update the trust service runtime configuration for any token provider configuration changes.
- Manage the trust service default token provider and any endpoints that have an explicitly assigned token provider (rather than inheriting the default). Targets are endpoints that are assigned a specific token provider. You can perform the following trust service target tasks:
  - Create a new trust service target by explicitly assigning a service endpoint URL to the default token provider. Performing this task creates an explicit assignment to the default trust service token provider, the Security Context Token. All other endpoints inherit the trust service default token provider.
  - Configure a target. WebSphere Application Server defines one default supported token provider, the Security Context Token. Other tasks that you can perform for existing targets include:
    - Modifying one or more endpoints that have a security context token provider explicitly assigned.
    - Changing the token provider for an endpoint from inherited to explicitly assigned. The token provider for that endpoint then does not change when the default trust service token provider changes.
    - Changing the token provider for an endpoint from explicitly assigned to inherited. The token provider for that endpoint is then the default trust service token provider, and it changes whenever the default changes.
    - Updating the trust service runtime configuration.
- Configure the security cache. You can change the behavior of client-side security caching.
- Update the trust service runtime configuration. You must update the runtime configuration whenever any of the following trust-related items are created or changed:
  - Trust service attachments
  - Token providers
  - Targets
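The following wsadmin Jython script is an added example, not code from the WebSphere documentation, that carries the procedure above through in the second configuration method: it copies a shipped system policy set, attaches the copy to the four default trust service operations, assigns a custom binding, pins one endpoint to the Security Context Token provider, and refreshes the trust service runtime. The policy set, binding and endpoint names are invented, and the exact -resources and -bindingLocation formats for trust service attachments are assumptions to be checked against `AdminTask.help('createPolicySetAttachment')` and `AdminTask.help('setBinding')` on your release; run it inside a wsadmin session (`wsadmin -lang jython -f secureTrustService.py`).

```jython
# Added example for a wsadmin Jython session (AdminTask and AdminConfig are wsadmin globals).
# Names and the -resources / -bindingLocation formats below are assumptions; verify with
# AdminTask.help('<command>') before running against a real cell.

POLICY_SET = 'TrustServiceWSSecurity'      # assumed name for the new system policy set
TEMPLATE   = 'SystemWSSecurityDefault'     # shipped system policy set used as the copy source
BINDING    = 'TrustServiceBinding'         # assumed name of an existing custom binding
ENDPOINT   = 'http://localhost:9080/HelloService/Hello'   # assumed service endpoint URL
SCT_LOCAL_NAME = 'http://docs.oasis-open.org/ws-sx/ws-secureconversation/200512/sct'
TRUST_OPERATIONS = ('issue', 'renew', 'validate', 'cancel')

def createSystemPolicySet():
    # Step 1: copy a shipped system policy set instead of hand-building policy types. The copy
    # keeps the WSSecurity and WSAddressing policy types with their default bindings, and
    # transferAttachments false leaves the shipped policy set's own attachments in place.
    AdminTask.copyPolicySet('[-sourcePolicySet %s -newPolicySet %s -transferAttachments false]'
                            % (TEMPLATE, POLICY_SET))

def attachToDefaultTrustOperations():
    # Step 2: attach the policy set to the four default trust operations. issue/renew must match
    # the clients' bootstrap policy set and validate/cancel their application policy set, so one
    # policy set for all four is only correct when both client-side policy sets share it.
    # Resource format "Trust.Service.Default:<operation>" is an assumption.
    attachmentIds = {}
    for op in TRUST_OPERATIONS:
        attachmentIds[op] = AdminTask.createPolicySetAttachment(
            '[-policySet %s -resources "Trust.Service.Default:%s" -attachmentType system/trust]'
            % (POLICY_SET, op))
    return attachmentIds

def assignBinding(attachmentIds):
    # Step 3: replace the default binding on each attachment with the custom binding.
    # The "[systemType trustService]" binding location is an assumption.
    for op, attachmentId in attachmentIds.items():
        AdminTask.setBinding('[-bindingLocation "[ [systemType trustService] [attachmentId %s] ]" '
                             '-bindingName %s -attachmentType system/trust]' % (attachmentId, BINDING))

def pinEndpointToSecurityContextToken():
    # Step 4: make ENDPOINT an explicit target of the Security Context Token provider, so a later
    # change of the default token provider does not silently change what this endpoint issues.
    AdminTask.assignSTSEndpointTokenType('[-endpointURI %s -LocalName %s]'
                                         % (ENDPOINT, SCT_LOCAL_NAME))

def exportForTransfer(pathName):
    # Optional: archive the policy set as a .zip for transfer to another cell, where it is
    # imported with AdminTask.importPolicySet('[-importFile <path>]').
    AdminTask.exportPolicySet('[-policySet %s -pathName %s]' % (POLICY_SET, pathName))

createSystemPolicySet()
assignBinding(attachToDefaultTrustOperations())
pinEndpointToSecurityContextToken()
AdminConfig.save()
# Step 5: none of the above reaches the running trust service until the runtime is refreshed.
AdminTask.refreshSTS()
print AdminTask.listSTSAssignedEndpoints()    # ENDPOINT is now listed as an explicit target
```

The script deliberately uses the `%` operator and the `print` statement rather than newer Python syntax, because the wsadmin Jython interpreter on these releases is Python 2.1 level. Attaching endpoint-specific operations instead of the defaults follows the same pattern with a per-endpoint resource string, which this example does not show because its format on your release must be confirmed first.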
Results
After the configurations are completed and the trust service runtime configuration has been updated, requests to the trust service are secured by the system policy sets that you attached.